Suspicious Process Masquerading As SvcHost.EXE

Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.

Sigma rule

```yaml
title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
      type: similar
    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
      type: similar
status: experimental
description: |
    Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
    - https://tria.ge/240731-jh4crsycnb/behavioral2
    - https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_img_location:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    filter_main_ofn:
        OriginalFileName: 'svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
```
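To make the rule's `selection and not 1 of filter_main_*` logic concrete, here is an added Python implementation (not part of the rule or the Sigma project) evaluated over constructed process-creation events; it applies Sigma's case-insensitive string matching and the convention that a filter on a missing field does not match, so an event with no `OriginalFileName` still alerts. The sample events and paths are assumptions for illustration.

```python
"""Added example: evaluate the masquerading rule above over constructed events."""
from typing import Any, Dict, List

# filter_main_img_location, lowercased once because Sigma matching is case-insensitive
LEGIT_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies: selection and not 1 of filter_main_*."""
    image = (event.get("Image") or "").lower()
    # selection: Image|endswith: '\svchost.exe'
    if not image.endswith(r"\svchost.exe"):
        return False
    # filter_main_img_location: expected on-disk locations of the real binary
    if image in LEGIT_SVCHOST_PATHS:
        return False
    # filter_main_ofn: OriginalFileName comes from the image's version resource;
    # a missing field never satisfies a Sigma filter, so the event stays selected.
    ofn = event.get("OriginalFileName")
    if ofn is not None and ofn.lower() == "svchost.exe":
        return False
    return True


def alerting_images(events: List[Dict[str, Any]]) -> List[str]:
    """Images of all events the rule would fire on, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Windows\SysWOW64\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "agent.exe"},
    {"Image": r"C:\ProgramData\update\svchost.exe"},          # no OriginalFileName
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": "svchost.exe"},  # suppressed by filter_main_ofn
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for img in alerting_images(SAMPLE_EVENTS):
        print("ALERT:", img)
```

Note that the fifth sample is deliberately not flagged: the rule as written trusts the `OriginalFileName` field, so coverage of that case depends on other rules or on file-integrity telemetry.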
